On 17-Feb-22 04:06, G.W. Haywood wrote:
> Hi Grant,
>
> On Thu, 17 Feb 2022, Grant Taylor wrote:
>> Please clarify if you are talking about DNSSEC for your own zone that they are doing secondary transfers of or if you are talking about DNSSEC for the IPv6's reverse DNS namespace that they delegate to you.
>
> Ah, good point Grant. The reverse zones are delegated to us but they aren't signed.

Yes, the issue with HE is that while they will delegate reverse zones to you, they don't accept DS records. So you can sign your zones, but there is no signature chain to the root.
Before ISC retired DLV, it was possible to use that path - and I did. But unfortunately that ship has sailed.
dnsviz shows that HE hasn't signed its reverse zone. That would be a prerequisite to DNSSEC for zones it delegates to customers, as would be a mechanism for submitting DS records to HE.
The issue has been open for (almost) 12 years. I haven't seen any updates from HE since the incoherent reply in the thread at https://forums.he.net/index.php?topic=890.msg22055#msg22055
It's rather difficult to exert pressure on a vendor that's providing a free service. But enough polite requests might help.
Perhaps further discussion of this belongs elsewhere...it seems to be wandering from BIND.
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views, if any, on the matters discussed.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users